{"vuid":"VU#346982","idnumber":"346982","name":"EMC Document Sciences xPression contains multiple vulnerabilities","keywords":["EMC","SQL injection","XSS","CSRF","redirect","CWE-22","CWE-89","CWE-79","CWE-601","CWE-352"],"overview":"EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain path traversal, SQL injection, cross-site scripting (XSS), open redirect, and cross-site request forgery (CSRF) vulnerabilities.","clean_desc":"EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain the following vulnerabilities in the xAdmin and xDashboard applications: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-6177 The xDashboard application allows unauthorized users to read arbitrary files from the file system using the model.logFileName parameter of the /xDashboard/html/jobhistory/jobLogDisplay.action file. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2013-6176 The xAdmin application has multiple parameters that are susceptible to SQL injection attacks from an unauthorized user. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross Site Scripting') - CVE-2013-6175 The xAdmin application is vulnerable to a stored cross-site scripting attack through the marker_name parameter of the /xAdmin/html/op_xp_marker_gen.jsp file. Additionally, both the xAdmin and xDashboard applications are vulnerable to reflected cross-site scripting attacks through numerous parameters in each application. CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2013-6174 The xAdmin application contains multiple files with a vulnerable redirectURL parameter. CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-6173 The xAdmin and xDashboard applications do not implement a mechanism to prevent cross-site request forgery attacks on input forms. It was reported that Document Sciences xPression version 4.2 Patch 16 and possibly earlier versions are affected by this vulnerability. EMC has stated that this vulnerability exists in version 4.2 before Patch 26 and version 4.5 before Patch 05, but does not exist in versions 4.1.x. The CVSS score reflects the path traversal vulnerability (CVE-2013-6177).","impact":"An attacker may be able to read files from the filesystem, read or modify data in the application database, execute arbitrary scripts in the context of a victim's browser, redirect users to other websites,  and forge requests on behalf of the victim.","resolution":"Apply an Update The vendor has released an update to address these vulnerabilities. Affected users are advised to apply one of the following updates: EMC Document Sciences xPression 4.1 SP1 Patch 47 and later \nEMC Document Sciences xPression 4.2 Patch 26 and later \nEMC Document Sciences xPression 4.5 Patch 05 and later EMC has released a security advisory addressing these issues.","workarounds":"","sysaffected":"","thanks":"Credit goes to Verizon Enterprise Solutions - Threat and Vulnerability Management (GCIS) \nFor Discovery: Sertan Kolat and Omer Coskun\nFor Analysis and coordination: Thierry Zoller","author":"This document was written by Todd Lewellen.","public":["http://seclists.org/bugtraq/2013/Nov/att-94/ESA-2013-078.txt","http://www.emc.com"],"cveids":["CVE-2013-6173","CVE-2013-6174","CVE-2013-6175","CVE-2013-6176","CVE-2013-6177"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-06-14T17:22:11Z","publicdate":"2013-11-20T00:00:00Z","datefirstpublished":"2013-12-02T18:25:17Z","dateupdated":"2013-12-02T18:25:20Z","revision":23,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.8","cvss_basevector":"AV:N/AC:L/Au:S/C:C/I:N/A:N","cvss_temporalscore":"5.3","cvss_environmentalscore":"1.33589903832","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}